Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

TheIdols NFT, `_beforeTokenTransfer` and 340k gone- 1946

Quill Audits
  • The Idols was a staking-to-rewards protocol built around NFTs: a pool of stETH accrued rewards, and those rewards were paid out to the NFT holders. It used the standard checkpoint math, computing what a holder has accrued since their last claim to determine how much they are owed.
  • In transfer(), both the `to` and `from` addresses need their rewards updated. During that update, if the user had a value of 0, the contract reset their rewards index to 0, as if they had never claimed anything. So what happens if you transfer to yourself? Infinite money...
  • The reset performed on the `to` side of the transfer breaks the checkpointing math for the last claim. Once the checkpoint is reset to 0 and the update is triggered again, rewards are calculated over a far longer period than they should be. This only works for a self-transfer, because a regular transfer sets the reward timestamp to the current time.
  • There's actually a second bug here! There is a check to ensure that only specific whitelisted contracts can make the call. Since the `to` and `from` addresses were the same, the self-transfer counted as a valid transfer.
  • The attack is simple... get an NFT and transfer it to the same contract address over and over again. The attacker did this 14 times from 14 different contracts, for a total of 87 calls. All in all, they stole about $340K worth of ETH.
  • Overall, a pretty classic bug. The article from Pyro asks a simple question: what happens when you do a transfer to yourself?
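As an added example (not from the Quill Audits write-up and not the Idols contract), a hypothetical Python model of the checkpoint bookkeeping the notes describe: a self-transfer settles the sender, then the receiver branch, finding nothing pending, resets the same address's checkpoint to 0, so the next settlement counts rewards from genesis again. The `hardened` flag adds two fixes, skipping the receiver path when `from == to` and starting a fresh checkpoint at the current index rather than 0; every name and value here is constructed.

```python
# Hypothetical model of the checkpoint pattern described above; it is not the Idols contract.
from dataclasses import dataclass, field

@dataclass
class RewardTracker:
    hardened: bool = False
    reward_index: int = 0                           # cumulative reward per NFT; grows as stETH accrues
    balance: dict = field(default_factory=dict)     # NFTs held per address
    checkpoint: dict = field(default_factory=dict)  # reward_index at last settlement; 0 means "genesis"
    owed: dict = field(default_factory=dict)        # settled but unclaimed reward
    def mint(self, to: str) -> None:
        self.balance[to] = self.balance.get(to, 0) + 1
        self.checkpoint[to] = self.reward_index
    def _pending(self, a: str) -> int:              # reward earned since the holder's checkpoint
        return self.balance.get(a, 0) * (self.reward_index - self.checkpoint.get(a, 0))
    def _settle(self, a: str) -> None:              # move pending into owed, checkpoint to now
        self.owed[a] = self.owed.get(a, 0) + self._pending(a)
        self.checkpoint[a] = self.reward_index
    def _before_token_transfer(self, frm: str, to: str) -> None:
        self._settle(frm)                           # credit the sender up to now
        if self.hardened and frm == to:
            return                                  # same holder: one checkpoint, skip the receiver path
        if self._pending(to) == 0:
            # Vulnerable: a receiver with nothing pending is treated as fresh and restarts from index 0;
            # on a self-transfer that wipes the checkpoint _settle(frm) just wrote.
            # Hardened: a fresh checkpoint starts at the current index, never at genesis.
            self.checkpoint[to] = self.reward_index if self.hardened else 0
        else:
            self._settle(to)
    def transfer(self, frm: str, to: str) -> None:
        self._before_token_transfer(frm, to)
        if frm != to:                               # balances only change on a real transfer
            self.balance[frm] -= 1
            self.balance[to] = self.balance.get(to, 0) + 1
            self.checkpoint[to] = self.reward_index  # receiver's reward clock starts now
    def claim(self, a: str) -> int:
        self._settle(a)
        paid, self.owed[a] = self.owed.get(a, 0), 0
        return paid

def payout_after_self_transfers(n: int, hardened: bool) -> int:
    """One NFT, 100 units accrued, n self-transfers, one claim. The honest payout is 100."""
    t = RewardTracker(hardened=hardened)
    t.mint("holder")
    t.reward_index += 100                           # time passes, rewards accrue
    for _ in range(n):
        t.transfer("holder", "holder")
    return t.claim("holder")
```

In the vulnerable mode each self-transfer adds another full history of rewards, so the payout grows as 100 * (n + 1); in the hardened mode it stays at 100, and a regular transfer to a different address settles correctly in both modes.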